Corporate Layoffs Create Security Havoc For IT Pros

Big corporate layoffs are causing a security nightmare for IT workers, who scramble to close down network connections and plug up dangerous holes as employees are walked out the door.

Big corporate layoffs are creating a nightmare of security risks as IT workers scramble to close down network connections and plug up dangerous holes as employees are walked out the door.

For companies like bankrupt energy trader Enron Corp. and now financially embarrassed WorldCom Inc., laying off thousands of employees means there simply may be too many security holes to patch up before employees are given their pink slips. And that means there are many ways back into the company's network for any disgruntled employee who would like some revenge to help make up for a lost job and possibly squandered retirement funds and stock options.

"In my view, it's got to be nearly impossible to fill that many gaps in network access," says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. "Even when you layoff one or two people, there's so much work to do. You need to close down user names, passwords, remote access, shut down VPNs and collect security ID cards. And if the person was IT, you need to change route accesses and network accesses. It's a huge job. Try multiplying that by thousands of workers."

Woolley and other security analysts say companies fraught with financial troubles may be digging themselves a deeper hole if they don't fill up security gaps that strings of layoffs leave behind. A worker -- who would have more knowledge of the system and critical business information than a hacker ever would -- could destroy information or crash systems. They also could copy financial files, marketing or research plans and customer information that they could take to their next job or that they could sell to a competitor.

"If IT gets a couple hours or even a couple of days notice, can they get things shut down before their people get to them?" asks Woolley. "But if there are rumors...if people know it's coming, you just don't have time to protect yourself."

And if the company is perceived to have mislead employees about the state of its financial health, that's only going to increase employees' frustrations and anger -- and make them more likely to take advantage of any security vulnerabilities and strike out against the company.

Devastated And Disgruntled

"If I had joined WorldCom when the stock was $62 and now it's down to 40 cents, and I've lost my retirement, maybe my kids' college education fund...and I believed the company was being straight when they said it was turning around, and now I'm laid off, I would have to believe we'd all be disgruntled," says Woolley. "The risks there are significant."

That scene at WorldCom, which has announced plans to layoff about 17,000 workers after divulging that executives had cooked the books to the tune of about $4 billion, has been played out a lot in recent months. About 4,000 workers at Enron were shown the door just after Thanksgiving last year. Arthur Anderson, which has been dragged down in the mire surrounding Enron, is supposedly laying off 7,000 employees. And over at the new Hewlett-Packard Co., about 15,000 employees are expected to be let go in the wake of HP's merger with Compaq Computer.

But the layoffs don't have to be high-profile or come amid bad publicity and financial investigations to cause network vulnerabilities, warn analysts.

"There's always going to be the person who thinks, 'If they let me go, I'm going to make them pay,'" warns Charles Kolodgy, research manager of Internet Security Software at Framingham, Mass.-based IDC. "If he knows the company is in trouble, he could plant a Trojan or leave some malicious time bomb that could go off when his name appears on a layoff list. There have been a number of cases of people doing just that."

Mike Rasmussen, director of research and information security at Giga Information Group, says if thousands of workers are being laid off, it could take weeks to secure the network. That figure will multiple if IT hasn't kept complete documentation of each worker's individual access rights, passwords, user names, biometrics specifications and security cards.

Rasmussen says any company preparing for a layoff should start working on that documentation immediately. Woolley of SilentRunner, however, says that documentation needs to begin the day a worker is hired. Keep it up-to-date and complete as the worker progresses through the company.

"It's scary to be laid off," says Kolodgy. "It's a very disconcerting concept and it could compel people to do things they normally wouldn't do. That evil little guy in the back of your head says, 'Do this. Do that.' And if you feel like you've got nothing to lose, you might listen to him."

A big part of the effort to protect a network then, is balanced on how the workers are treated during and after their termination. A worker who is brought in to meet with her manager face-to-face to receive the news, and is offered a severance package and is given outplacement references and counseling options is, obviously, less likely to feel the need to harm the company.

Layoffs Are Traumatic

"Being laid off is among the top five stresses -- right up with there with the death of a loved one and divorce," says Bill Sala, vice president and managing director of Innis Co., a human resources consultant based in Houston, Texas. "It's a separation, or a break in a bond, that is as strong in many cases as that with a family member. When that bond is broken, there is trauma."

There have been reports that workers at both Enron and Arthur Anderson received notice of their termination from an email message or on their voicemail. Sala says he has heard the same but couldn't verify it personally. If it did happen, that would be a clear recipe for building an employee with motive for revenge.

Analysts recommend a list of things to do if a company is about to have layoffs:

Be honest with employees about the stability of the company and the potential for layoffs;

Clearly and completely document each worker's access to the network, applications, servers and the physical building;

Shut down remote connections, including PCAnywhere and VPNs;

Close down user names and passwords;

If the person worked in IT, change route access and network access;

Shut down telephone access from the outside;

Make sure handheld devices, smart phones and cell phones are turned in along with PCs and laptops;

Collect security ID cards;

Have monitoring software in place to keep an eye on network traffic;

Make sure the worker's own manager is able to tell the employee that he is being laid off -- not someone unfamiliar from HR;